P
US9213807B2ActiveUtilityPatentIndex 53

Detection of code injection attacks

Assignee: RAYTHEON BBN TECHNOLOGIES CORPPriority: Sep 4, 2013Filed: Sep 4, 2013Granted: Dec 15, 2015
Est. expirySep 4, 2033(~7.2 yrs left)· nominal 20-yr term from priority
Inventors:MARTZ ROBERTMATTHEWS DAVIDEDMISON JOSHUAVORSANGER GREG
G06F 21/52G06F 21/00G06F 21/554
53
PatentIndex Score
2
Cited by
22
References
16
Claims

Abstract

A method for detecting foreign code injected into a computer system including a processor and memory, the processor being configured to execute instructions stored in the memory, includes: detecting, on the computer system, an illegal instruction error; recording the illegal instruction error; determining whether a threshold condition is met; and generating an alert if the threshold condition is met.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method for detecting foreign code injected into a computer program executed by a heterogeneous computer system comprising a plurality of different processors each with different architecture and different native instruction set, and memory, the plurality of different processors being configured to execute instructions stored in the memory, the method comprising:
 executing a first portion of the computer program by a first processor having a first architecture and a first instruction set; 
 executing a second portion of the computer program by a second processor having a second architecture and a second instruction set different than the first instruction set; 
 detecting, on the heterogeneous computer system, an illegal instruction error; 
 recording the illegal instruction error; 
 determining whether a threshold condition for an attack on the heterogeneous computer system is met based on patterns of multiple previous attacks clustered together and the number of different architectures; and 
 generating an alert if the threshold condition for the attack on the heterogeneous computer system is met, wherein the illegal instruction error is triggered by an instruction encoded in a third instruction set different from the first and second instruction sets. 
 
     
     
       2. The method of  claim 1 , wherein the threshold condition further comprises exceeding a particular number of illegal instruction errors over a particular time period. 
     
     
       3. The method of  claim 1 , wherein determining whether the threshold condition is met comprises detecting the patterns using a neural network. 
     
     
       4. The method of  claim 1 , wherein the threshold condition comprises detecting the patterns using a Bayesian network. 
     
     
       5. The method of  claim 1 , further comprising:
 loading a plurality of instruction streams, each of the plurality of instruction streams being equivalent and being encoded in a different instruction set of a plurality of instruction sets; 
 executing, in a context, a first stream of the plurality of instruction streams; 
 stopping execution of the first stream at a first location of the first stream; and 
 executing, in the context, a second stream of the plurality of instruction streams at a second location of the second stream, the second location corresponding to the first location of the first stream, 
 wherein the first stream and the second stream are encoded in instruction sets different from the second instruction set. 
 
     
     
       6. The method of  claim 1 , wherein generating the alert comprises sending an email message or a text message. 
     
     
       7. The method of  claim 1 , further comprising shutting down the computer system when the threshold condition is met. 
     
     
       8. A computer system comprising a plurality of different processors each with different architecture and different native instruction set, and memory storing program instructions, the computer system being configured to execute instructions stored in the memory, the computer system being configured to:
 execute a first portion of the computer program by a first processor having a first architecture and a first instruction set; 
 execute a second portion of the computer program by a second processor having a second architecture and a second instruction set different than the first instruction set; 
 detect an illegal instruction error; 
 record the illegal instruction error; 
 determine whether a threshold condition for an attack on the heterogeneous computer system is met based on patterns of multiple previous attacks clustered together and the number of different architectures; and 
 generate an alert if the threshold condition for the attack on the heterogeneous computer system is met, wherein the illegal instruction error is triggered by an instruction encoded in a third instruction set different from the first and second instruction sets. 
 
     
     
       9. The computer system of  claim 8 , wherein the threshold condition further comprises exceeding a particular number of illegal instruction errors over a particular time period. 
     
     
       10. The computer system of  claim 8 , wherein the computer system is configured to determine whether the threshold condition is met by detecting the patterns using a neural network. 
     
     
       11. The computer system of  claim 8 , wherein the computer system is configured to determine whether the threshold condition is met by detecting the patterns using a Bayesian network. 
     
     
       12. The computer system of  claim 8 , wherein the computer system is further configured to:
 load a plurality of instruction streams, each of the plurality of instruction streams being equivalent and being encoded in a different instruction set of a plurality of instruction sets; 
 execute, in a context, a first stream of the plurality of instruction streams; 
 stop execution of the first stream at a first location of the first stream; and 
 execute, in the context, a second stream of the plurality of instruction streams at a second location of the second stream, the second location corresponding to the first location of the first stream, 
 wherein the first stream and the second stream are encoded in instruction sets different from the second instruction set. 
 
     
     
       13. The computer system of  claim 8 , wherein the computer system is configured to generate the alert by sending an email message or a text message. 
     
     
       14. The computer system of  claim 8 , wherein the computer system is further configured to shut down the computer system when the threshold condition is met. 
     
     
       15. A non-transitory computer readable medium embodying program instructions for execution by a heterogeneous computer system, the program instructions adapting the heterogeneous computer system for:
 executing a first portion of the computer program by a first processor having a first architecture and a first instruction set; 
 executing a second portion of the computer program by a second processor having a second architecture and a second instruction set different than the first instruction set; 
 detecting, on the heterogeneous computer system, an illegal instruction error; recording the illegal instruction error; 
 determining whether a threshold condition for an attack on the heterogeneous computer system is met based on patterns of multiple previous attacks clustered together and the number of different architectures; and 
 generating an alert if the threshold condition for the attack on the heterogeneous computer system is met, wherein the illegal instruction error is triggered by an instruction encoded in a third instruction set different from the first and second instruction sets. 
 
     
     
       16. The non-transitory computer readable medium of  claim 15 , wherein the program instructions further adapt the processing apparatus for:
 loading a plurality of instruction streams, each of the plurality of instruction streams being equivalent and being encoded in a different instruction set of a plurality of instruction sets; 
 executing, in a context, a first stream of the plurality of instruction streams; 
 stopping execution of the first stream at a first location of the first stream; and 
 executing, in the context, a second stream of the plurality of instruction streams at a second location of the second stream, the second location corresponding to the first location of the first stream, 
 
       wherein the illegal instruction error is triggered by a program instruction encoded in a first instruction set, the first instruction set being different from the instruction sets of the first stream and the second stream.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.